Hi Tobias,

Thank you for taking care of packages with open security issues, but
I'm wondering why you chose to do an immediate NMU.
I planned uploading 2.6.9-1 today following the usual process we agreed
on with the Security Team and I believe fixing this bug 4 days after
it was opened is not an excessive amount of delay, especially since two
days were on a weekend.

Thanks,
Balint

On Mon, May 27, 2019 at 4:45 PM Debian Bug Tracking System
<ow...@bugs.debian.org> wrote:
>
> Your message dated Mon, 27 May 2019 14:42:22 +0000
> with message-id <e1hvgps-0009xj...@fasolo.debian.org>
> and subject line Bug#929446: fixed in wireshark 2.6.8-1.1
> has caused the Debian Bug report #929446,
> regarding wireshark: CVE-2019-12295
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact ow...@bugs.debian.org
> immediately.)
>
>
> --
> 929446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929446
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>
>
> ---------- Forwarded message ----------
> From: Salvatore Bonaccorso <car...@debian.org>
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Cc:
> Bcc:
> Date: Thu, 23 May 2019 19:56:24 +0200
> Subject: wireshark: CVE-2019-12295
> Source: wireshark
> Version: 2.6.8-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
> Control: found -1 2.6.7-1~deb9u1
>
> Hi,
>
> The following vulnerability was published for wireshark.
>
> CVE-2019-12295[0]:
> | In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the
> | dissection engine could crash. This was addressed in epan/packet.c by
> | restricting the number of layers and consequently limiting recursion.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12295
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12295
> [1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
> [2] https://www.wireshark.org/security/wnpa-sec-2019-19.html
>
> Regards,
> Salvatore
>
>
>
> ---------- Forwarded message ----------
> From: "Dr. Tobias Quathamer" <to...@debian.org>
> To: 929446-cl...@bugs.debian.org
> Cc:
> Bcc:
> Date: Mon, 27 May 2019 14:42:22 +0000
> Subject: Bug#929446: fixed in wireshark 2.6.8-1.1
> Source: wireshark
> Source-Version: 2.6.8-1.1
>
> We believe that the bug you reported is fixed in the latest version of
> wireshark, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 929...@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Dr. Tobias Quathamer <to...@debian.org> (supplier of updated wireshark package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmas...@ftp-master.debian.org)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Mon, 27 May 2019 16:08:44 +0200
> Source: wireshark
> Architecture: source
> Version: 2.6.8-1.1
> Distribution: unstable
> Urgency: medium
> Maintainer: Balint Reczey <rbal...@ubuntu.com>
> Changed-By: Dr. Tobias Quathamer <to...@debian.org>
> Closes: 929446
> Changes:
>  wireshark (2.6.8-1.1) unstable; urgency=medium
>  .
>    * Non-maintainer upload.
>    * CVE-2019-12295
>      In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14,
>      the dissection engine could crash. This was addressed in
>      epan/packet.c by restricting the number of layers and
>      consequently limiting recursion. (Closes: #929446)
>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----



-- 
Balint Reczey
Ubuntu & Debian Developer
